FW: [sclug] Firewalls
lug at assursys.co.uk
Sat Oct 25 09:05:32 UTC 2003
On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> lug at assursys.co.uk wrote:
> > On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> >>Yes, but NAT should only change the envelope part of the packet and not the
> >>contents.
> >
> >
> > That depends. It's impossible to get some protocols (non-PASV FTP being the
> > most notable) working without modifying the payload. Yes, this is prone to
> > error - consider what happens to the size of the packet if the client
> > address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
> > what happens if the payload was already of size (MTU-40)...
> >
>
> That's not a nice exercise to leave to the reader. :-)
> Though my guess is
>
> MTU - 40 = MTU - Envelope
>
> then in the envelope 1.2.3.4 would be 00000001 00000010 00000011 00000100
> and 111.122.133.144 would be 01101111 01111010 10000101 10010000
>
> in that case the envelope does not change size.
It would be, apart from the fact that FTP uses ASCII when sending PORT
commands... suddenly your packet is 4x2=8 bytes longer than it was. But the
packet was already at maximum MTU size! Yow!
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>
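The size problem Alex describes, worked through as an added example (not code from the thread): a NAT FTP ALG rewriting the ASCII address in a PORT command, the 8-byte growth versus the 0-byte growth of the binary header, and the case where the segment was already at MTU-40. The NOOP padding, the 1.2.3.4 / 111.122.133.144 addresses and the 1500-byte MTU are constructed inputs.

```python
"""Why an FTP ALG can push a maximum-size segment over the MTU (constructed example)."""
import ipaddress
import re

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options ("the envelope")
ETHERNET_MTU = 1500

# Active-mode FTP carries the client's address in ASCII: "PORT h1,h2,h3,h4,p1,p2\r\n"
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def rewrite_port_commands(segment: bytes, nat_ip: str) -> bytes:
    """Replace the address in every PORT command in a TCP segment, as a NAT ALG must.
    The port octets p1,p2 are kept; only the four host octets are rewritten."""
    octets = nat_ip.encode().replace(b".", b",")

    def fix(m: re.Match) -> bytes:
        return b"PORT " + octets + b"," + m.group(5) + b"," + m.group(6) + b"\r\n"

    return PORT_RE.sub(fix, segment)


def ascii_growth(old_ip: str, new_ip: str) -> int:
    """Byte growth of the PORT payload: dotted quad and comma form have the same length."""
    return len(new_ip) - len(old_ip)


def packed_growth(old_ip: str, new_ip: str) -> int:
    """Byte growth of the binary address in the IP header: always 0 for IPv4."""
    return len(ipaddress.ip_address(new_ip).packed) - len(ipaddress.ip_address(old_ip).packed)


def nat_segment(segment: bytes, nat_ip: str, mtu: int = ETHERNET_MTU) -> tuple[bytes, bool]:
    """Rewrite the segment and report whether the resulting packet still fits the MTU.
    When it does not, a real ALG has to re-segment and then also fix up TCP
    sequence/acknowledgement numbers for the rest of the connection."""
    rewritten = rewrite_port_commands(segment, nat_ip)
    return rewritten, len(rewritten) + IP_TCP_HEADERS <= mtu


def demo() -> dict:
    """Constructed worst case: pipelined NOOPs pad the segment to exactly MTU-40 bytes."""
    payload = b"NOOP\r\n" * 240 + b"PORT 1,2,3,4,19,52\r\n"   # 1440 + 20 = 1460 bytes
    before_fits = len(payload) + IP_TCP_HEADERS <= ETHERNET_MTU
    rewritten, after_fits = nat_segment(payload, "111.122.133.144")
    return {"before_len": len(payload), "before_fits": before_fits,
            "after_len": len(rewritten), "after_fits": after_fits,
            "ascii_growth": ascii_growth("1.2.3.4", "111.122.133.144"),
            "packed_growth": packed_growth("1.2.3.4", "111.122.133.144")}
```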